apiVersion: "config.istio.io/v1alpha2" kind: attributemanifest metadata: name: istioproxy namespace: {{ .Release.Namespace }} spec: attributes: origin.ip: valueType: IP_ADDRESS origin.uid: valueType: STRING origin.user: valueType: STRING request.headers: valueType: STRING_MAP request.id: valueType: STRING request.host: valueType: STRING request.method: valueType: STRING request.path: valueType: STRING request.reason: valueType: STRING request.referer: valueType: STRING request.scheme: valueType: STRING request.total_size: valueType: INT64 request.size: valueType: INT64 request.time: valueType: TIMESTAMP request.useragent: valueType: STRING response.code: valueType: INT64 response.duration: valueType: DURATION response.headers: valueType: STRING_MAP response.total_size: valueType: INT64 response.size: valueType: INT64 response.time: valueType: TIMESTAMP source.uid: valueType: STRING source.user: # DEPRECATED valueType: STRING source.principal: valueType: STRING destination.uid: valueType: STRING destination.principal: valueType: STRING destination.port: valueType: INT64 connection.event: valueType: STRING connection.id: valueType: STRING connection.received.bytes: valueType: INT64 connection.received.bytes_total: valueType: INT64 connection.sent.bytes: valueType: INT64 connection.sent.bytes_total: valueType: INT64 connection.duration: valueType: DURATION connection.mtls: valueType: BOOL connection.requested_server_name: valueType: STRING context.protocol: valueType: STRING context.timestamp: valueType: TIMESTAMP context.time: valueType: TIMESTAMP # Deprecated, kept for compatibility context.reporter.local: valueType: BOOL context.reporter.kind: valueType: STRING context.reporter.uid: valueType: STRING api.service: valueType: STRING api.version: valueType: STRING api.operation: valueType: STRING api.protocol: valueType: STRING request.auth.principal: valueType: STRING request.auth.audiences: valueType: STRING request.auth.presenter: valueType: STRING request.auth.claims: valueType: STRING_MAP request.auth.raw_claims: valueType: STRING request.api_key: valueType: STRING --- apiVersion: "config.istio.io/v1alpha2" kind: attributemanifest metadata: name: kubernetes namespace: {{ .Release.Namespace }} spec: attributes: source.ip: valueType: IP_ADDRESS source.labels: valueType: STRING_MAP source.metadata: valueType: STRING_MAP source.name: valueType: STRING source.namespace: valueType: STRING source.owner: valueType: STRING source.service: # DEPRECATED valueType: STRING source.serviceAccount: valueType: STRING source.services: valueType: STRING source.workload.uid: valueType: STRING source.workload.name: valueType: STRING source.workload.namespace: valueType: STRING destination.ip: valueType: IP_ADDRESS destination.labels: valueType: STRING_MAP destination.metadata: valueType: STRING_MAP destination.owner: valueType: STRING destination.name: valueType: STRING destination.container.name: valueType: STRING destination.namespace: valueType: STRING destination.service: # DEPRECATED valueType: STRING destination.service.uid: valueType: STRING destination.service.name: valueType: STRING destination.service.namespace: valueType: STRING destination.service.host: valueType: STRING destination.serviceAccount: valueType: STRING destination.workload.uid: valueType: STRING destination.workload.name: valueType: STRING destination.workload.namespace: valueType: STRING --- apiVersion: "config.istio.io/v1alpha2" kind: stdio metadata: name: handler namespace: {{ .Release.Namespace }} spec: outputAsJson: true --- apiVersion: "config.istio.io/v1alpha2" kind: logentry metadata: name: accesslog namespace: {{ .Release.Namespace }} spec: severity: '"Info"' timestamp: request.time variables: sourceIp: source.ip | ip("0.0.0.0") sourceApp: source.labels["app"] | "" sourcePrincipal: source.principal | "" sourceName: source.name | "" sourceWorkload: source.workload.name | "" sourceNamespace: source.namespace | "" sourceOwner: source.owner | "" destinationApp: destination.labels["app"] | "" destinationIp: destination.ip | ip("0.0.0.0") destinationServiceHost: destination.service.host | "" destinationWorkload: destination.workload.name | "" destinationName: destination.name | "" destinationNamespace: destination.namespace | "" destinationOwner: destination.owner | "" destinationPrincipal: destination.principal | "" apiClaims: request.auth.raw_claims | "" apiKey: request.api_key | request.headers["x-api-key"] | "" protocol: request.scheme | context.protocol | "http" method: request.method | "" url: request.path | "" responseCode: response.code | 0 responseSize: response.size | 0 requestSize: request.size | 0 requestId: request.headers["x-request-id"] | "" clientTraceId: request.headers["x-client-trace-id"] | "" latency: response.duration | "0ms" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) requestedServerName: connection.requested_server_name | "" userAgent: request.useragent | "" responseTimestamp: response.time receivedBytes: request.total_size | 0 sentBytes: response.total_size | 0 referer: request.referer | "" httpAuthority: request.headers[":authority"] | request.host | "" xForwardedFor: request.headers["x-forwarded-for"] | "0.0.0.0" reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") monitored_resource_type: '"global"' --- apiVersion: "config.istio.io/v1alpha2" kind: logentry metadata: name: tcpaccesslog namespace: {{ .Release.Namespace }} spec: severity: '"Info"' timestamp: context.time | timestamp("2017-01-01T00:00:00Z") variables: connectionEvent: connection.event | "" sourceIp: source.ip | ip("0.0.0.0") sourceApp: source.labels["app"] | "" sourcePrincipal: source.principal | "" sourceName: source.name | "" sourceWorkload: source.workload.name | "" sourceNamespace: source.namespace | "" sourceOwner: source.owner | "" destinationApp: destination.labels["app"] | "" destinationIp: destination.ip | ip("0.0.0.0") destinationServiceHost: destination.service.host | "" destinationWorkload: destination.workload.name | "" destinationName: destination.name | "" destinationNamespace: destination.namespace | "" destinationOwner: destination.owner | "" destinationPrincipal: destination.principal | "" protocol: context.protocol | "tcp" connectionDuration: connection.duration | "0ms" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) requestedServerName: connection.requested_server_name | "" receivedBytes: connection.received.bytes | 0 sentBytes: connection.sent.bytes | 0 totalReceivedBytes: connection.received.bytes_total | 0 totalSentBytes: connection.sent.bytes_total | 0 reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") monitored_resource_type: '"global"' --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: stdio namespace: {{ .Release.Namespace }} spec: match: context.protocol == "http" || context.protocol == "grpc" actions: - handler: handler.stdio instances: - accesslog.logentry --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: stdiotcp namespace: {{ .Release.Namespace }} spec: match: context.protocol == "tcp" actions: - handler: handler.stdio instances: - tcpaccesslog.logentry --- apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: requestcount namespace: {{ .Release.Namespace }} spec: value: "1" dimensions: reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") source_workload: source.workload.name | "unknown" source_workload_namespace: source.workload.namespace | "unknown" source_principal: source.principal | "unknown" source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" destination_workload: destination.workload.name | "unknown" destination_workload_namespace: destination.workload.namespace | "unknown" destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" destination_service: destination.service.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: requestduration namespace: {{ .Release.Namespace }} spec: value: response.duration | "0ms" dimensions: reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") source_workload: source.workload.name | "unknown" source_workload_namespace: source.workload.namespace | "unknown" source_principal: source.principal | "unknown" source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" destination_workload: destination.workload.name | "unknown" destination_workload_namespace: destination.workload.namespace | "unknown" destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" destination_service: destination.service.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: requestsize namespace: {{ .Release.Namespace }} spec: value: request.size | 0 dimensions: reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") source_workload: source.workload.name | "unknown" source_workload_namespace: source.workload.namespace | "unknown" source_principal: source.principal | "unknown" source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" destination_workload: destination.workload.name | "unknown" destination_workload_namespace: destination.workload.namespace | "unknown" destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" destination_service: destination.service.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: responsesize namespace: {{ .Release.Namespace }} spec: value: response.size | 0 dimensions: reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") source_workload: source.workload.name | "unknown" source_workload_namespace: source.workload.namespace | "unknown" source_principal: source.principal | "unknown" source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" destination_workload: destination.workload.name | "unknown" destination_workload_namespace: destination.workload.namespace | "unknown" destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" destination_service: destination.service.host | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" request_protocol: api.protocol | context.protocol | "unknown" response_code: response.code | 200 connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: tcpbytesent namespace: {{ .Release.Namespace }} spec: value: connection.sent.bytes | 0 dimensions: reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") source_workload: source.workload.name | "unknown" source_workload_namespace: source.workload.namespace | "unknown" source_principal: source.principal | "unknown" source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" destination_workload: destination.workload.name | "unknown" destination_workload_namespace: destination.workload.namespace | "unknown" destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" destination_service: destination.service.name | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: metric metadata: name: tcpbytereceived namespace: {{ .Release.Namespace }} spec: value: connection.received.bytes | 0 dimensions: reporter: conditional((context.reporter.kind | "inbound") == "outbound", "source", "destination") source_workload: source.workload.name | "unknown" source_workload_namespace: source.workload.namespace | "unknown" source_principal: source.principal | "unknown" source_app: source.labels["app"] | "unknown" source_version: source.labels["version"] | "unknown" destination_workload: destination.workload.name | "unknown" destination_workload_namespace: destination.workload.namespace | "unknown" destination_principal: destination.principal | "unknown" destination_app: destination.labels["app"] | "unknown" destination_version: destination.labels["version"] | "unknown" destination_service: destination.service.name | "unknown" destination_service_name: destination.service.name | "unknown" destination_service_namespace: destination.service.namespace | "unknown" connection_security_policy: conditional((context.reporter.kind | "inbound") == "outbound", "unknown", conditional(connection.mtls | false, "mutual_tls", "none")) monitored_resource_type: '"UNSPECIFIED"' --- apiVersion: "config.istio.io/v1alpha2" kind: prometheus metadata: name: handler namespace: {{ .Release.Namespace }} spec: metrics: - name: requests_total instance_name: requestcount.metric.{{ .Release.Namespace }} kind: COUNTER label_names: - reporter - source_app - source_principal - source_workload - source_workload_namespace - source_version - destination_app - destination_principal - destination_workload - destination_workload_namespace - destination_version - destination_service - destination_service_name - destination_service_namespace - request_protocol - response_code - connection_security_policy - name: request_duration_seconds instance_name: requestduration.metric.{{ .Release.Namespace }} kind: DISTRIBUTION label_names: - reporter - source_app - source_principal - source_workload - source_workload_namespace - source_version - destination_app - destination_principal - destination_workload - destination_workload_namespace - destination_version - destination_service - destination_service_name - destination_service_namespace - request_protocol - response_code - connection_security_policy buckets: explicit_buckets: bounds: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10] - name: request_bytes instance_name: requestsize.metric.{{ .Release.Namespace }} kind: DISTRIBUTION label_names: - reporter - source_app - source_principal - source_workload - source_workload_namespace - source_version - destination_app - destination_principal - destination_workload - destination_workload_namespace - destination_version - destination_service - destination_service_name - destination_service_namespace - request_protocol - response_code - connection_security_policy buckets: exponentialBuckets: numFiniteBuckets: 8 scale: 1 growthFactor: 10 - name: response_bytes instance_name: responsesize.metric.{{ .Release.Namespace }} kind: DISTRIBUTION label_names: - reporter - source_app - source_principal - source_workload - source_workload_namespace - source_version - destination_app - destination_principal - destination_workload - destination_workload_namespace - destination_version - destination_service - destination_service_name - destination_service_namespace - request_protocol - response_code - connection_security_policy buckets: exponentialBuckets: numFiniteBuckets: 8 scale: 1 growthFactor: 10 - name: tcp_sent_bytes_total instance_name: tcpbytesent.metric.{{ .Release.Namespace }} kind: COUNTER label_names: - reporter - source_app - source_principal - source_workload - source_workload_namespace - source_version - destination_app - destination_principal - destination_workload - destination_workload_namespace - destination_version - destination_service - destination_service_name - destination_service_namespace - connection_security_policy - name: tcp_received_bytes_total instance_name: tcpbytereceived.metric.{{ .Release.Namespace }} kind: COUNTER label_names: - reporter - source_app - source_principal - source_workload - source_workload_namespace - source_version - destination_app - destination_principal - destination_workload - destination_workload_namespace - destination_version - destination_service - destination_service_name - destination_service_namespace - connection_security_policy --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: promhttp namespace: {{ .Release.Namespace }} spec: match: context.protocol == "http" || context.protocol == "grpc" actions: - handler: handler.prometheus instances: - requestcount.metric - requestduration.metric - requestsize.metric - responsesize.metric --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: promtcp namespace: {{ .Release.Namespace }} spec: match: context.protocol == "tcp" actions: - handler: handler.prometheus instances: - tcpbytesent.metric - tcpbytereceived.metric --- apiVersion: "config.istio.io/v1alpha2" kind: kubernetesenv metadata: name: handler namespace: {{ .Release.Namespace }} spec: # when running from mixer root, use the following config after adding a # symbolic link to a kubernetes config file via: # # $ ln -s ~/.kube/config mixer/adapter/kubernetes/kubeconfig # # kubeconfig_path: "mixer/adapter/kubernetes/kubeconfig" --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: kubeattrgenrulerule namespace: {{ .Release.Namespace }} spec: actions: - handler: handler.kubernetesenv instances: - attributes.kubernetes --- apiVersion: "config.istio.io/v1alpha2" kind: rule metadata: name: tcpkubeattrgenrulerule namespace: {{ .Release.Namespace }} spec: match: context.protocol == "tcp" actions: - handler: handler.kubernetesenv instances: - attributes.kubernetes --- apiVersion: "config.istio.io/v1alpha2" kind: kubernetes metadata: name: attributes namespace: {{ .Release.Namespace }} spec: # Pass the required attribute data to the adapter source_uid: source.uid | "" source_ip: source.ip | ip("0.0.0.0") # default to unspecified ip addr destination_uid: destination.uid | "" destination_port: destination.port | 0 attribute_bindings: # Fill the new attributes from the adapter produced output. # $out refers to an instance of OutputTemplate message source.ip: $out.source_pod_ip | ip("0.0.0.0") source.uid: $out.source_pod_uid | "unknown" source.labels: $out.source_labels | emptyStringMap() source.name: $out.source_pod_name | "unknown" source.namespace: $out.source_namespace | "default" source.owner: $out.source_owner | "unknown" source.serviceAccount: $out.source_service_account_name | "unknown" source.workload.uid: $out.source_workload_uid | "unknown" source.workload.name: $out.source_workload_name | "unknown" source.workload.namespace: $out.source_workload_namespace | "unknown" destination.ip: $out.destination_pod_ip | ip("0.0.0.0") destination.uid: $out.destination_pod_uid | "unknown" destination.labels: $out.destination_labels | emptyStringMap() destination.name: $out.destination_pod_name | "unknown" destination.container.name: $out.destination_container_name | "unknown" destination.namespace: $out.destination_namespace | "default" destination.owner: $out.destination_owner | "unknown" destination.serviceAccount: $out.destination_service_account_name | "unknown" destination.workload.uid: $out.destination_workload_uid | "unknown" destination.workload.name: $out.destination_workload_name | "unknown" destination.workload.namespace: $out.destination_workload_namespace | "unknown" --- # Configuration needed by Mixer. # Mixer cluster is delivered via CDS # Specify mixer cluster settings apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: istio-policy namespace: {{ .Release.Namespace }} spec: host: istio-policy.{{ .Release.Namespace }}.svc.cluster.local trafficPolicy: {{- if .Values.global.controlPlaneSecurityEnabled }} portLevelSettings: - port: number: 15004 tls: mode: ISTIO_MUTUAL {{- end}} connectionPool: http: http2MaxRequests: 10000 maxRequestsPerConnection: 10000 --- apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: istio-telemetry namespace: {{ .Release.Namespace }} spec: host: istio-telemetry.{{ .Release.Namespace }}.svc.cluster.local trafficPolicy: {{- if .Values.global.controlPlaneSecurityEnabled }} portLevelSettings: - port: number: 15004 tls: mode: ISTIO_MUTUAL {{- end}} connectionPool: http: http2MaxRequests: 10000 maxRequestsPerConnection: 10000 ---